Browser Autofill Auditor

Consumer

Original Idea

A browser extension that scans your saved passwords and autofill data, flags weak or reused credentials, and suggests improvements.

Product Requirements Document (PRD): Browser Autofill Auditor

1. Executive Summary

The Browser Autofill Auditor is a privacy-first browser extension designed to bridge the gap between native browser password storage and professional password managers. While billions of users store credentials in Chrome and Firefox, these browsers lack deep security auditing. This tool provides local-first analysis of credential entropy, cross-site reuse detection, and breach monitoring via k-Anonymity, all while ensuring that plain-text passwords never leave the user’s device.


2. Problem Statement

Users frequently store insecure, outdated, or reused credentials in browser-native password managers, which give no view of the user's overall security posture. Manifest V3 restrictions, combined with the gap between Chrome's closed password store (no extension API can read saved passwords) and Firefox's browser.logins API (not part of the documented stable WebExtensions surface, so its availability must be verified before it is relied on), make a unified security audit impossible without manually exporting sensitive data.


3. Goals & Success Metrics

  • User Security Health: Increase the average user "Security Score" by 25% within the first 3 months of use.
  • Scan Adoption: Achieve an 80% completion rate for the "Initial Deep Scan" user flow.
  • Retention: Maintain a 40% Week-4 retention rate by providing ongoing breach monitoring alerts.
  • Privacy Trust: Zero plain-text password transmissions (verified by open-source auditability).

4. User Personas

  • Privacy-Conscious Pete: A technical user who refuses to use cloud-based password managers but wants to ensure his browser-stored local logins are strong.
  • Non-Technical Nancy: A general internet user who uses the same password for 20+ sites and needs a simple "Health Score" and direct links to fix issues.
  • Remote Employee Robert: Uses a personal laptop for work and needs to ensure no corporate-related credentials have been leaked in recent breaches.

5. User Stories

  • As a user, I want to run a local scan of my saved passwords so that I can see which ones are weak without uploading my vault to a server.
  • As a user, I want to be alerted if any of my passwords appear in a known data breach so that I can change them immediately.
  • As a user, I want a single "Security Score" dashboard so that I can quickly understand my risk level at a glance.
  • As a user, I want direct links to the "Change Password" pages of vulnerable sites so that I can take action efficiently.

6. Functional Requirements

6.1 Core Audit Engine

  • Entropy Analysis: Utilize zxcvbn-ts, running entirely on-device, for pattern matching and guess-resistance estimation (0–4 score).
  • Reuse Detection: Identify identical keyed SHA-256 digests (HMAC-SHA-256 under the locally derived key) of passwords across different hostnames. A bare, unkeyed SHA-256 of the password must not be stored: a copy of the IndexedDB file would otherwise be an offline-crackable password list.
  • Protocol Audit: Flag any credentials saved for http:// (unencrypted) origins.
  • Breach Checking: Implement k-Anonymity checks against the Have I Been Pwned (HIBP) Pwned Passwords range API via a Node.js proxy. Only the first 5 hex characters of the SHA-1 digest are sent; the proxy returns the complete, unfiltered suffix list for each prefix and the comparison happens on the client, so neither HIBP nor the proxy learns which password was checked.

6.2 Security Health Dashboard

  • Aggregated Scoring: A 0–100 score based on entropy, reuse, and breach status.
  • Risk Categorization: Filterable list of "Critical" (Breached), "High" (Weak/Reused), and "Low" (Secure) accounts.
  • Trend Tracking: A visual historical chart showing score improvements over time.

6.3 Browser Specific Logic

  • Firefox: Full automated scan using the browser.logins API. Caveat: this API is not part of the documented stable WebExtensions surface; confirm it is available to a regular (non-experiment) extension during Phase 5 and keep the CSV flow below as the fallback if it is not.
  • Chrome: Passive monitoring of logins (capturing on-fill, with explicit user opt-in; the content script computes the digests it needs and never passes the raw value out of the page) and a "Manual Audit" flow allowing users to upload a CSV export for a local-only one-time audit. The CSV is parsed in memory and discarded after the scan.

7. Technical Requirements

7.1 Tech Stack (2026 Standards)

  • Frontend: React 19.2.3 using Actions and useActionState for form handling.
  • Styling: Tailwind CSS 4.1.18 using the Oxide engine and CSS-first configuration.
  • Build Tool: Vite 7.0.x.
  • Backend (Proxy): Node.js 24.13.0 (LTS) with Express 5.1.0 (native Promise support).
  • Database: IndexedDB for local metadata, optimized with getAllRecords().
  • Processing: Offscreen Documents + Web Workers for non-blocking CPU-intensive entropy analysis.

7.2 Security Architecture

  • Encryption: Web Crypto API utilizing AES-GCM (256-bit) for metadata at rest, with a fresh 96-bit IV per record and the record id bound as additional authenticated data; the key is derived locally with PBKDF2-HMAC-SHA-256 (600,000 iterations, random per-install salt), is non-extractable, and is never persisted.
  • Hashing: SHA-1 of the password for HIBP k-Anonymity (only the first 5 hex characters of the digest leave the device; the 35-character suffix is compared locally); keyed SHA-256 (HMAC under the local key) for duplicate detection, so a stored digest cannot be cracked offline.
  • CSP: Manifest V3 compliant with script-src 'self'; host_permissions limited to the proxy API origin.

8. Data Model

Entity: CredentialMetadata (IndexedDB)

| Attribute | Type | Description |
| :--- | :--- | :--- |
| id | String (PK) | Unique identifier |
| siteUrl | String | Origin (scheme and host) of the credential |
| username | String | Obfuscated username (masked for display; the raw value is not stored) |
| pwdHash | String | Keyed SHA-256 digest (HMAC under the local key), for reuse detection only |
| entropyScore | Number | 0-4 score from zxcvbn-ts |
| isBreached | Boolean | Status from HIBP |
| lastChecked | ISO Date | Timestamp of last breach check |

Entity: AuditResult (IndexedDB)

| Attribute | Type | Description |
| :--- | :--- | :--- |
| timestamp | ISO Date | When the scan occurred |
| healthScore | Number | Calculated aggregate score |
| vulnerabilityCount | Object | Breakdown of weak/reused/breached counts |


9. API Specification (HIBP Proxy)

Endpoint: POST /api/v1/check-breach

  • Payload: { "hashPrefixes": ["ABC12", "DEF34"] } (each entry the first 5 hex characters of a SHA-1 digest; max 10 per request)
  • Response: one key per requested prefix, carrying the complete suffix list returned by HIBP for that prefix (never filtered to the caller's suffix, since the proxy must not learn it):
  • Response:
{
  "ABC12": [
    { "suffix": "GHIJKL...", "count": 452 },
    { "suffix": "MNOPQR...", "count": 12 }
  ]
}
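A request handler for this endpoint, as an added example rather than the project's proxy. It is written as a framework-independent function so it runs and can be tested without Express, and wired to Express 5 in the comment at the end. Assumed, because the PRD does not specify them: a one-hour cache TTL, a Map standing in for Redis, and the HIBP "Add-Padding: true" request header that pads range responses with count-0 rows.

```javascript
// Added example: handler for POST /api/v1/check-breach.
const PREFIX_RE = /^[0-9A-F]{5}$/;
const SUFFIX_RE = /^[0-9A-F]{35}$/;
const MAX_PREFIXES = 10;
const CACHE_TTL_MS = 60 * 60 * 1000; // assumption: one hour

// Parse an HIBP range body ("SUFFIX:COUNT" per line) into the entries of section 9.
// Count-0 rows are the padding HIBP adds when Add-Padding is requested; they are dropped.
function parseRange(text) {
  return text
    .split(/\r?\n/)
    .filter(Boolean)
    .map((line) => {
      const [suffix, count] = line.split(':');
      return { suffix: suffix.trim().toUpperCase(), count: Number(count) };
    })
    .filter((e) => SUFFIX_RE.test(e.suffix) && Number.isInteger(e.count) && e.count > 0);
}

// Upstream call. Only the 5-character prefix is sent; padding hides the true response size
// from anyone observing the proxy's egress traffic.
async function fetchRangeFromHibp(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
    headers: { 'Add-Padding': 'true', 'User-Agent': 'browser-autofill-auditor-proxy' },
  });
  if (!res.ok) throw new Error(`HIBP range lookup failed: ${res.status}`);
  return res.text();
}

// Returns { status, body }: 400 for a malformed request, 502 when upstream fails,
// otherwise 200 with { "<prefix>": [{ suffix, count }, ...] } for every requested prefix.
async function handleCheckBreach(body, fetchRange = fetchRangeFromHibp, cache = new Map(), now = Date.now) {
  const prefixes = body?.hashPrefixes;
  if (!Array.isArray(prefixes) || prefixes.length === 0 || prefixes.length > MAX_PREFIXES) {
    return { status: 400, body: { error: `hashPrefixes must contain 1-${MAX_PREFIXES} entries` } };
  }
  const normalised = [...new Set(prefixes.map((p) => String(p).toUpperCase()))];
  if (!normalised.every((p) => PREFIX_RE.test(p))) {
    return { status: 400, body: { error: 'each prefix must be 5 hex characters' } };
  }
  const result = {};
  try {
    await Promise.all(
      normalised.map(async (prefix) => {
        const cached = cache.get(prefix);
        if (cached && cached.expires > now()) {
          result[prefix] = cached.entries;
          return;
        }
        const entries = parseRange(await fetchRange(prefix));
        cache.set(prefix, { entries, expires: now() + CACHE_TTL_MS });
        result[prefix] = entries;
      }),
    );
  } catch {
    return { status: 502, body: { error: 'upstream lookup failed' } };
  }
  return { status: 200, body: result };
}

// Express 5 wiring (not executed here):
//   app.post('/api/v1/check-breach', express.json({ limit: '1kb' }), async (req, res) => {
//     const { status, body } = await handleCheckBreach(req.body);
//     res.status(status).json(body);
//   });
```

The handler never logs or stores anything but prefixes, and it returns whatever HIBP returned for each prefix, which is what keeps the k-Anonymity property intact end to end.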

10. UI/UX Requirements

  • Bento Grid Layout: Use Tailwind v4 container queries to show security widgets (Score, Quick Fixes, Trend Chart).
  • High-Trust Minimalism: Neutral tones (Zinc-50) with high-contrast semantic colors (Emerald-500, Rose-500).
  • Circular Health Gauge: An animated SVG gauge on the landing page showing the 0-100 score.
  • Fix-it Flow: A slide-over panel (Glassmorphism) showing the specific reason a password failed and a button to "Change on Site."

11. Non-Functional Requirements

  • Performance: Scans of up to 500 credentials must complete in < 5 seconds using Web Workers.
  • Availability: Dashboard must load in < 200ms by rendering from an in-memory cache of the IndexedDB metadata that is hydrated once when the extension starts and written through on every scan.
  • Privacy: No raw passwords or full hashes ever stored in logs or transmitted to the proxy.

12. Out of Scope

  • Cloud Syncing: No multi-device syncing in Phase 1 to maintain a "zero-knowledge" marketing position.
  • Password Management: The extension will not offer to save new passwords; it is an auditor only.
  • Auto-Change: Programmatic password changing (due to site-specific CAPTCHAs and varying flows).

13. Risks & Mitigations

  • Risk: Chrome's lack of Password API prevents automated audits.
    • Mitigation: Implement a clear, 3-step CSV upload guide and passive monitoring of login forms.
  • Risk: High CPU usage during entropy analysis freezes the browser.
    • Mitigation: Offload all heavy calculations to an Offscreen Document running a pool of Web Workers.
  • Risk: HIBP API rate limiting or upstream outage (the Pwned Passwords range endpoint is documented as unauthenticated and not rate limited, but a policy change or outage would still break breach checks).
    • Mitigation: Redis caching of range responses per 5-character prefix on the Node.js proxy with a bounded TTL, plus per-client rate limiting on the proxy so a single user cannot exhaust its upstream budget.

14. Implementation Tasks

Phase 1: Project Setup

  • [ ] Initialize extension with Vite 7 and React 19.2.3
  • [ ] Set up Tailwind CSS 4.1.18 with Oxide engine
  • [ ] Configure ESLint 9 (Flat Config) and Prettier
  • [ ] Set up Manifest V3 boilerplate (Background Service Worker, Popup, Content Scripts)

Phase 2: Core Audit Engine & Security

  • [ ] Implement Offscreen Document for heavy processing
  • [ ] Integrate zxcvbn-ts in a Web Worker for entropy analysis
  • [ ] Build Web Crypto module for local metadata encryption (AES-GCM)
  • [ ] Implement SHA-256 hashing for local duplicate password detection

Phase 3: Backend & Integration

  • [ ] Initialize Node.js 24.13.0 LTS & Express 5.1.0 server
  • [ ] Create k-Anonymity HIBP proxy endpoint
  • [ ] Implement Redis caching for HIBP prefix responses
  • [ ] Set up rate-limiter-flexible on the proxy

Phase 4: UI & Dashboard

  • [ ] Build "Bento Grid" dashboard with Tailwind v4
  • [ ] Create circular "Security Score" SVG component
  • [ ] Implement historical trend chart using Recharts/Visx
  • [ ] Build "Change Password" redirect utility with site-specific deep links

Phase 5: Browser Specific Implementation

  • [ ] Implement browser.logins integration for Firefox
  • [ ] Build CSV Parser for Chrome manual audit flow
  • [ ] Implement Passive Monitor content script for Chrome login capture
  • [ ] Finalize "Zero-Knowledge" privacy audit documentation